Regulators' Increased Focus on Systems and Controls Environment
As expected, there has been a marked increase in the level of regulation, regulatory supervision and regulatory sanctions in the wake of the 2008 financial crisis. Between 2008 and 2012 €1.5 trillion in state aid was introduced throughout Europe to prevent another financial crisis occurring. Regulatory enhancement is cyclical and, following a financial crisis, history dictates a call for a strengthening of regulatory supervision and intervention. To address these calls and to enhance financial stability, the European Union ("EU") coordinated with its international counterparts in the G20 and developed a regulatory reform agenda which included over forty proposals to be introduced over a five year period.
The objectives of this reform agenda included: the enhancement of financial stability and resilience of the financial system; the restoration of the EU single market; protection of investors and consumers; and improved efficiency and minimisation of transaction and financial services costs.
In Ireland, the Taoiseach (Irish Prime Minister) launched the 'Strategy for the International Financial Services Industry in Ireland 2011-2016' which included the high level goal of the 'Proper and Effective Regulation of Financial Institutions and Markets'. To achieve this goal, the report set out a number of strategies for the Central Bank of Ireland ("Central Bank") to undertake which mostly reflected the G20 reform agenda. Financial institutions must also be conscious of upstream regulatory risk and impending legislative developments awaiting transposition or entry into force.
Such an enhanced focus on regulation and supervision inevitably leads to an increase in regulatory sanctions, both in terms of frequency and amount. In 2010, the Central Bank imposed eight fines on financial institutions totalling €2,248,700 whereas in 2013, sixteen fines were imposed totalling €6,350,000. A leading contributory factor to these sanctions being ineffective and deficient systems and controls environments. The table below sets out a summary of sanctions since 2010 and highlights the percentage of these imposed due to ineffective and deficient systems and controls.
|Systems and Controls Failures||2 (25%)||6 (60%)||7 (43.75%)||4 (25%)||6 (100%)|
Similarly in the UK, sanctions have frequently been issued for ineffective and deficient systems and controls environments. Since 2010, the average amount of regulatory sanction activity has increased as set out below. The following table illustrates this in summary form.
|Year||2010 (FCA)||2011 (FCA)||2012 (FCA)||2013 (FCA)||2014 (FCA)|
|Systems and Controls Failures||17 (58.62%)||9 (36%)||18 (66.66%)||16 (61.54%)||8 (44.44%)|
A recurring theme in this regard is the substantial proportion of fines for or with reference to ineffective and deficient systems and controls. In five of the six sanctions issued by the Central Bank in 2014, the Director of Enforcement in the Central Bank, Derville Rowland, has highlighted the importance of effective systems and controls frameworks, most notably stating in one sanction:
"The Central Bank views the existence and proper functioning of a firm’s policies, procedures, systems and controls as being fundamental to ensuring its compliance with its regulatory requirements. The existence of inadequate policies, procedures, systems and controls is an unacceptable risk to the Central Bank as it can be the basis for, and potentially leads to, large scale non-compliance with regulatory requirements."
PRISM, Themed Reviews, Enforcement Priorities and Financial Enquiry Panel
There continues to be a sustained increase in PRISM (Probability Risk and Impact SysteM) engagements by the Central Bank across all sectors rising from 2,198 engagements in 2012 (including pre-PRISM engagements) to 3,925 in 2013, highlighting a clear indication that the Central Bank is interacting with and scrutinising regulated financial institutions more frequently.
Regulated financial institutions should also be aware of the Central Bank's 'Programme of Themed Reviews' ("Reviews"). The Central Bank annually publish a list of Reviews that it intends to carry out separate to its reactive reviews and regular engagements, covering multiple financial sectors and focusing on specific areas of regulation. The principle behind the Reviews is that they "allow the Central Bank to monitor compliance with the relevant rules and requirements" set by the Central Bank. In anticipation of these Reviews, regulated financial institutions must have procedures in place documenting compliance and ensuring that the entity's obligations are documented to mitigate the risk of a Central Bank sanction, particularly in areas highlighted under the Reviews.
The Central Bank also publishes annually its "Enforcement Priorities" ("Priorities") which document its targeted areas for enforcement action. In 2014, the Central Bank set out fifteen Priorities specific to certain sectors including two applicable to all sectors - prudential requirements and systems and controls.
In October 2014, the Central Bank announced details of its new Financial Enquiry Panel ("FEP"), which comprises a panel of thirteen domestic and international legal and banking experts with the task of investigating potential breaches of banking rules by credit institutions and personnel. Included in the FEP is Fiona Muldoon, former Central Bank Director of Credit Institutions and Insurance Supervision. In line with the Central Bank (Supervision and Enforcement) Act 2013, the FEP has the power to fine up to €10 million or 10% of an entity's turnover. It can also ban and fine individuals up to €1 million, provided it does not bankrupt them.
The key observation to be made from this increased supervisory and regulatory activity is that regulated financial institutions need to be aware of the legal regulatory obligations applicable to their business and the need to have effective and robust systems and controls in place to monitor, record and stress test these obligations. Preparation and evidencing testing results is fundamental to documenting systems and controls. Where deficiencies are found, these need to be remedied and, in some instances, legal advice will need to be sought.
Fitness and Probity
In addition to the regulatory focus on financial institutions, the Central Bank's Fitness and Probity ("F&P") standards, enforceable under the Central Bank Reform Act 2010, highlight that the legal regulatory obligations extend further than just the regulated financial institution as a legal person, but to those persons in particular positions. Under the F&P standards, a person elected to a 'pre-approval controlled function' ("PCF") or a 'controlled function' ("CF") is required to be 'competent and capable' which compels the person to demonstrate that he or she:
"has a sound knowledge of the business of the regulated financial service provider as a whole, and the specific responsibilities that are to be undertaken in the relevant function;" and
"has a clear and comprehensive understanding of the regulatory and legal environment appropriate to the relevant function".
The message from the Central Bank is clear; those who hold a PCF or CF position must understand and be aware of their regulatory obligations and must be able to demonstrate their compliance with their obligations, much like regulated financial institutions. Failure to do so may lead to the Central Bank determining the individual to be unfit for their respective control function.
The Need to Show Awareness
Recent sanctions imposed by both the Central Bank and the FCA have highlighted that regulated financial institutions are required not only to be aware of their obligations, but also actively to test and demonstrate compliance with these obligations. A number of regulated financial institutions have received warnings and sanctions for not applying regulatory measures set out in legislation after identifying the need to apply them. These institutions should regularly test their compliance framework to ensure that the controls in place are effective, operational and accurate. Stringent risk based tests should be carried out on a continuous basis evidencing compliance with legal regulatory obligations.
Responsibility for compliance with legal regulatory obligations rests with senior management and a disconnect between management and the compliance function will be detrimental: this will reject badly on the firm's ability to demonstrate a proper compliance system. Information presented to senior management must be useful, accurate and of sufficient quality in terms of how the regulated financial institution is discharging its responsibilities. Senior management should establish and assess a positive compliance culture and evidence that culture in action.
The Central Bank is conducting an increased number of inspections and PRISM engagements. The cost set aside by regulated financial institutions to manage compliance risk is increasing in line with the rise in regulatory sanctions and the associated fines imposed. The Central Bank is concentrating on preventing regulatory breaches before they occur by scrutinising regulated financial institutions' systems and controls environments. The most important step a regulated financial institution can take in mitigating risk is to ensure the implementation of an effective and robust compliance environment and framework. This framework must be tested regularly and the results evidenced. Senior management are becoming more vulnerable than ever and must also take steps to demonstrate their compliance with applicable legal regulatory obligations. Clear reporting and escalation procedures in the event of any regulatory breaches or concerns must be established, and these breaches and concerns can only be identified by sufficient testing of a regulated financial institution's systems and controls.
If you would like further information, please speak with your usual Maples and Calder contact, or a member of the Financial Services Regulatory Enforcement Group.